Hacker empties high roller’s online Poker account of $115K

21 Sep 2012 · 8 comments · Malware
by Paul Roberts

[Image: Poker. Image from Shutterstock]

A high stakes online poker player says that an unknown hacker used a malicious image file to compromise his account and empty it of more than $100,000 in winnings, the latest in what players say is a string of scams.

The player, who uses the handle _MicahJ_, claims that he was lured into a trap by a fellow member of the twoplustwo forums, who invited him to an online poker game in order to size up his online holdings.

That user then sent an email containing a malicious image file that installed a keylogging Trojan on his system. The attacker then emptied the account of over $115,000 in poker winnings over three days.

“I knew I shouldn’t have opened it but didn’t think until after the matter. I contacted others on suspected scamming but couldn’t get anything done until it was too late,” he wrote.

According to the user, who did not immediately respond to requests for comment, the hacker – using the handle highgrind22 – gained access to an account at the website Lock Poker for three days. During that time he made small transfers out of the account to an account linked to a yahoo.com email address. The attacker also played in high stakes games, losing around $80,000 to another player.

The post, on Saturday, elicited hundreds of responses from twoplustwo users, most of them online poker players themselves. The ensuing conversation has become something of an online ‘whodunnit,’ with players attempting to uncover the identity of the attacker, and others stepping forward to clear their names.

The list of suspects includes a twoplustwo forum member who uses the handle WHITNEYDOH, and who made tens of thousands of dollars in online winnings playing against what _MicahJ_ claims was a hacked account. After briefly having his account suspended by Lock Poker, however, that user was reinstated and claims innocence.

It is not known for sure if _MicahJ_ was the victim of a malicious software attack and, if he was, what kind of malware was used.

In posts to twoplustwo he claims to be a Mac user, which means that any malware used would have to work on that platform. Also unclear is whether Lock Poker provides any insurance for online holdings, or any monitoring to prevent sudden and unexplained account-to-account transfers.

Lock Poker declined to comment. “We cannot disclose any findings of any investigation for privacy and security concerns,” the company said in an email to Naked Security. “Rest assured, we put a significant amount of time, resources and technology in minimizing the chances of fraud occurring.”

Online poker forums are a popular target for hackers, given the large sums of money that change hands in online gaming. In fact, twoplustwo was itself the victim of a hack in April that reportedly compromised the accounts of forum members.

In March 2011, a 29-year-old man received two years in prison for hacking into a computer server, stealing and then laundering 400 billion virtual poker chips from the online gaming firm Zynga, worth an estimated $12 million.

Past attacks, however, have focused on online poker platforms as much as players.

In 1999, researchers (including Adobe’s security boss Brad Arkin) famously identified an off-by-one error in a shuffling algorithm used by the Web site PlanetPoker.

That allowed the researchers to predict the outcome of supposedly “random” virtual deck shuffles used on the site.


Poker player image from Shutterstock.

8 comments on “Hacker empties high roller’s online Poker account of $115K”

  1. Some guy says:
    September 21, 2012 at 12:28 pm

    According to Micah on 2+2, it was a file with .exe ending (bankstatement.jpg.exe) which he opened in his Windows emulator.

    Reply
    • Graham Cluley says:
      September 21, 2012 at 12:32 pm

      That sounds most likely.

      We have seen malware attacks spread via booby-trapped image files before (exploiting vulnerabilities), but it's more common for malware to be spread using the old double-extension trick.

      Reply
      • njorl says:
        September 24, 2012 at 5:34 pm

        Your second paragraph makes me wonder whether I was mistaken to enjoy your irony, in the first.

        I haven't seen the user transaction for opening an Exe in a Windows emulator under Mac OS, but I'd guess there's an opportunity to realise what you're doing and cancel.

        Regardless, what appears to be being suggested is a Windows Exe which, running within the emulator, is able to install a key-logger on the host Mac OS. This would be similar to a virus breaking out of your test lab VM to infect its host system. Probably not impossible but quite far into the impressive end of attack crafting.

        Reply
  2. Gavin says:
    September 24, 2012 at 4:17 pm

    I wonder if it's time for Microsoft (or some third party who can program a lot better than I) to build in a warning whenever a file has two extensions, each of which are three characters, and the last of which is executable.

    Knowledgeable people are not normally hoodwinked by it (though anyone can be caught off-guard), but it's too much to expect that all users need to know how extensions work, how one can be hidden and not the other, and so on.

    This isn't exactly Microsoft's problem (I'm laying no blame here), but I do see an opportunity for them to improve security by turning the file name red or having a pop-up warning when such a file is double-clicked (obviously with a "Don't show this again" check box too).

    — Gavin

    Reply
    • Deonast says:
      September 24, 2012 at 11:31 pm

      Doesn't help though that say in windows 7 for example by default the file extension is hidden in windows explorer. So it would be easy for users to see .jpg and not the .exe after and not think twice. I really think this dumbing down of the user experience is bad for security.

      Reply
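The double-extension trick and the hidden-extension problem discussed in the comments above, as an added example that is not code from the article or its commenters: a small defender-side check that reports what Explorer would show with extensions hidden, flags a decoy extension sitting before an executable one, and compares a file's leading bytes with what its real extension claims (so a file named .jpg that actually starts with a PE header is caught too). The extension lists and magic-byte table are illustrative assumptions, and the sample filenames and byte strings are constructed.

```python
from typing import NamedTuple

# Assumption: a short illustrative set of extensions Windows launches as code,
# not the full PATHEXT / shell handler list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "msi"}
# Assumption: document/image extensions commonly used as the decoy part.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "txt"}
# Leading bytes each type is expected to start with (JPEG SOI marker,
# PNG signature, PE/DOS "MZ" header).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "exe": (b"MZ",),
    "scr": (b"MZ",),
}


class Verdict(NamedTuple):
    shown_as: str           # name as Explorer shows it with extensions hidden
    real_ext: str           # the extension that actually selects the handler
    double_ext: bool        # decoy extension directly before an executable one
    content_mismatch: bool  # leading bytes disagree with the real extension


def displayed_name(name: str) -> str:
    """Mimic Explorer's default of hiding only the final extension."""
    stem, sep, _ = name.rpartition(".")
    return stem if sep else name


def check(name: str, head: bytes) -> Verdict:
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    decoy = parts[-2] if len(parts) > 2 else ""
    double = real_ext in EXECUTABLE_EXTS and decoy in DECOY_EXTS
    sigs = MAGIC.get(real_ext)
    mismatch = bool(sigs) and not any(head.startswith(s) for s in sigs)
    return Verdict(displayed_name(name), real_ext, double, mismatch)


def is_suspicious(name: str, head: bytes) -> bool:
    """True when either heuristic fires; a hit warrants a warning, not a click."""
    v = check(name, head)
    return v.double_ext or v.content_mismatch


if __name__ == "__main__":
    # Constructed samples: the commenter's filename with a PE header, a
    # mislabelled PE, and a genuine JPEG.
    for name, head in [("bankstatement.jpg.exe", b"MZ\x90\x00"),
                       ("photo.jpg", b"MZ\x90\x00"),
                       ("photo.jpg", b"\xff\xd8\xff\xe0")]:
        print(name, check(name, head), "SUSPICIOUS" if is_suspicious(name, head) else "ok")
```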
  3. Marc says:
    September 25, 2012 at 4:57 am

    Speaking as someone on a pension who has to survive on a low income, I find it hard to feel any sympathy for anyone who has that kind of money to waste on gambling and is then stupid enough to click on things they shouldn't. 'So sad, too bad' is my feeling on the matter.

    Reply
  4. Dngr66 says:
    September 26, 2012 at 6:43 am

    That's pretty crazy. I don't know why he would keep that kinda money on any online site.
    But the thing sounds kinda fishy. He probably wanted to do some high stakes betting, so he "sent" it to a fake account and this was his backup plan.

    Reply
  5. HollyToft says:
    October 7, 2013 at 9:17 pm

    I would advise anyone who does regular financial transactions online to educate themselves to the world of online hacking, scams and such.
    And to remember that gambling is an extension of the Art of War… and he got taken down in a black op.
    Knowledge is power as they say.

    Reply
